Jacques Distler has a post about weaknesses in Rails' built-in HTML sanitizer. Is there a test suite that's been run against Drupal's filter_xss to make sure it's not vulnerable to any of these?

Comments

HedgeMage’s picture

In his talk on PHP efficiency and security at OSCMS Summit / DrupalCon last week, Rasmus talked a lot about XSS attacks on various CMSes, and Drupal did very well in comparison to the others presented. The talk was recorded, so it should be floating around the web by now.

HedgeMage